New report, with the updates from chains-project/dirty-waters#39
How to read the results 📖
Dirty-waters has analyzed your project dependencies and found different categories for each of them:
- ⚠️ ⚠️ ⚠️ : high severity
- ⚠️ ⚠️ : medium severity
- ⚠️ : low severity
❗ Packages with no Source Code URL(
⛔ Packages with Github URLs that are 404(
🔧 Packages with accessible source code repos but inaccessible GitHub tags(
🌵 Packages that are forks(
🐬 For further information about software supply chain smells in your project, take a look at the following tables.
Source code links that could not be found(82)
List of packages with available source code repos but with inaccessible tags(100)
package_name | release_tag_exists | tag_version | github_url | tag_related_info | status_code_for_release_tag |
---|---|---|---|---|---|
commons-codec:[email protected] | False | 1.17.1 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.checkerframework:[email protected] | False | 3.12.0 | https://github.com/typetools/checker-framework | The given tag was not found in the repo | 404 |
com.diffplug.durian:[email protected] | False | 4.2.2 | https://github.com/diffplug/durian-swt | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.eclipse.jdt:[email protected] | False | 3.38.0 | https://github.com/eclipse-jdt/eclipse.jdt.core | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.9.18 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.4.1 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.codehaus.plexus:[email protected] | False | 2.2.0 | https://github.com/codehaus-plexus/plexus-containers | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
commons-codec:[email protected] | False | 1.17.0 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
org.apache.maven.wagon:[email protected] | False | 3.5.3 | https://github.com/apache/maven-wagon | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.eclipse.jdt:[email protected] | False | 3.38.0 | https://github.com/eclipse-jdt/eclipse.jdt.core | The given tag was not found in the repo | 404 |
org.eclipse.platform:[email protected] | False | 3.18.300 | https://github.com/eclipse-equinox/equinox | The given tag was not found in the repo | 404 |
org.codehaus.plexus:[email protected] | False | 1.3.0 | https://github.com/codehaus-plexus/plexus-languages | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
commons-codec:[email protected] | False | 1.16.0 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.codehaus.plexus:[email protected] | False | 2.15.0 | https://github.com/codehaus-plexus/plexus-compiler | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.codehaus.plexus:[email protected] | False | 2.15.0 | https://github.com/codehaus-plexus/plexus-compiler | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.httpcomponents:[email protected] | False | 4.4.16 | https://github.com/apache/httpcomponents-core | The given tag was not found in the repo | 404 |
com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | 404 |
org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.9.18 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
com.mysema.querydsl:[email protected] | False | 3.7.4 | https://github.com/querydsl/querydsl | The given tag was not found in the repo | 404 |
com.diffplug.spotless:[email protected] | False | 2.45.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | 404 |
org.apache.maven.plugins:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
com.diffplug.spotless:[email protected] | False | 2.45.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.jetbrains:[email protected] | False | 13.0 | https://github.com/jetbrains/intellij-community | The given tag was not found in the repo | 404 |
dev.equo.ide:[email protected] | False | 1.7.5 | https://github.com/equodev/equo-ide | The given tag was not found in the repo | 404 |
org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.apache.maven.plugin-tools:[email protected] | False | 3.12.0 | https://github.com/apache/maven-plugin-tools | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M19 | https://github.com/apache/maven-doxia-sitetools | The given tag was not found in the repo | 404 |
org.checkerframework:[email protected] | False | 3.43.0 | https://github.com/typetools/checker-framework | The given tag was not found in the repo | 404 |
org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.apache.maven.plugins:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.6.0 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.4.1 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.httpcomponents:[email protected] | False | 4.5.14 | https://github.com/apache/httpcomponents-client | The given tag was not found in the repo | 404 |
org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
commons-codec:[email protected] | False | 1.16.1 | https://github.com/apache/commons-codec | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
org.apache.maven.plugin-tools:[email protected] | False | 3.6.4 | https://github.com/apache/maven-plugin-tools | The given tag was not found in the repo | 404 |
org.apache.sshd:[email protected] | False | 2.7.0 | https://github.com/apache/mina-sshd | The given tag was not found in the repo | 404 |
org.junit.platform:[email protected] | False | 1.11.2 | https://github.com/junit-team/junit5 | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0-M12 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.codehaus.plexus:[email protected] | False | 1.2.0 | https://github.com/codehaus-plexus/plexus-languages | The given tag was not found in the repo | 404 |
com.diffplug.spotless:[email protected] | False | 2.43.0 | https://github.com/diffplug/spotless | The given tag was not found in the repo | 404 |
org.apache.maven.resolver:[email protected] | False | 1.6.3 | https://github.com/apache/maven-resolver | The given tag was not found in the repo | 404 |
org.apache.maven:[email protected] | False | 3.8.5 | https://github.com/apache/maven | The given tag was not found in the repo | 404 |
org.javassist:[email protected] | False | 3.28.0-GA | https://github.com/jboss-javassist/javassist | The given tag was not found in the repo | 404 |
com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | 404 |
org.apache.maven.release:[email protected] | False | 3.1.1 | https://github.com/apache/maven-release | The given tag was not found in the repo | 404 |
org.apache.maven.surefire:[email protected] | False | 3.5.1 | https://github.com/apache/maven-surefire | The given tag was not found in the repo | 404 |
com.diffplug.durian:[email protected] | False | 1.2.0 | https://github.com/diffplug/durian | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
org.apache.maven.scm:[email protected] | False | 2.1.0 | https://github.com/apache/maven-scm | The given tag was not found in the repo | 404 |
ch.qos.reload4j:[email protected] | False | 1.2.22 | https://github.com/qos-ch/reload4j | The given tag was not found in the repo | 404 |
org.codehaus.plexus:[email protected] | False | 2.15.0 | https://github.com/codehaus-plexus/plexus-compiler | The given tag was not found in the repo | 404 |
org.apache.maven.doxia:[email protected] | False | 2.0.0 | https://github.com/apache/maven-doxia | The given tag was not found in the repo | 404 |
List of packages from fork(2)
package_name | deprecated_in_version | provenance_in_version | all_deprecated | github_url | github_exists | github_redirected | archived | is_fork | forked_from | open_issues_count | is_match | release_tag_exists | tag_version | tag_url | tag_related_info | status_code_for_release_tag |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
org.whitesource:[email protected] | https://github.com/whitesource/maven-dependency-tree-parser | True | False | False | True | https://github.com/adutra/maven-dependency-tree-parser | 0 | True | 1.0.6 | https://api.github.com/repos/whitesource/maven-dependency-tree-parser/git/ref/tags/maven-dependency-tree-parser-1.0.6 | Tag maven-dependency-tree-parser-1.0.6 is found in the repo | 200 | ||||
com.github.cliftonlabs:[email protected] | https://github.com/cliftonlabs/json-simple | True | False | False | True | https://github.com/fangyidong/json-simple | 1 | True | 3.0.2 | https://api.github.com/repos/cliftonlabs/json-simple/git/ref/tags/json-simple-3.0.2 | Tag json-simple-3.0.2 is found in the repo | 200 |
👻 What do I do now?
For packages without source code & accessible release tags: open a pull request to the maintainer of the dependency, requesting correct repository metadata and proper tagging.
For deprecated packages:
1. Confirm the maintainer’s deprecation intention
2. Check for not deprecated versions
For packages without provenance:
Open an issue in the dependency’s repository to request the inclusion of provenance and build attestation in the CI/CD pipeline.
For packages that are forks:
Inspect the package and its GitHub repository to verify the fork is not malicious.
Report created by dirty-waters.
Report created on 2024-11-21 14:51:10
- Tool version: 6119cfe3
- Project Name: INRIA/spoon
- Project Version: v11.1.1-beta-9
@monperrus after the current work with the updates from chains-project/dirty-waters#60, the report is currently as follows (of note, I would emphasize the huge decrease in tags not found!):
Software Supply Chain Report of INRIA/spoon - v11.1.1-beta-9
Enabled Checks
The following checks were specifically requested:
How to read the results 📖
Dirty-waters has analyzed your project dependencies and found different categories for each of them:
Total packages in the supply chain: 351
❗ Packages with no Source Code URL(⚠️ ⚠️ ⚠️ ) 4
⛔ Packages with Github URLs that are 404(⚠️ ⚠️ ⚠️ ) 77
🔧 Packages with accessible source code repos but inaccessible GitHub tags(⚠️ ⚠️ ⚠️ ) 30
🌵 Packages that are forks(⚠️ ⚠️ ) 2
🔒 Packages without code signature(⚠️ ⚠️ ) 10
Fine grained information
🐬 For further information about software supply chain smells in your project, take a look at the following tables.
Source code links that could not be found(81)
List of packages with available source code repos but with inaccessible tags(30)
The package manager (maven) does not support checking for deprecated packages.
List of packages from fork(2)
The package manager (maven) does not support checking for provenance.
List of packages without code signature(10)
All packages have valid code signature.
Call to Action:
👻 What do I do now?
For packages without source code & accessible release tags:
For deprecated packages:
For packages without provenance:
For packages that are forks:
Report created by dirty-waters.
Report created on 2025-01-28 17:06:42